I am new to Snort and am using it to investigate the detectability of a given piece of malware. I was writing my first custom rules and tested them. During that process I additionally received the following two alerts:
[129:20:1] TCP session without 3-way handshake [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
[129:12:2] Consecutive TCP small segments exceeding threshold [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
I wasn't able to locate the files in which these alerts are defined, and I couldn't find helpful information on the internet either. I stumbled upon the snort-sigs archives, which are concerningly confusing and unhelpful. Can someone tell me what triggers the two alerts shown above, or where I could find useful information?
In snort.conf, go to line 273 (default conf) and check for: "preprocessor stream5_global: track_tcp yes". Just change the "yes" into "no"; that should remove the "Consecutive TCP small segments exceeding threshold" alert from the log. Sorry for the bad English.